Identity theft is on the increase. It was recently reported that during 2005, 8.9 million people were affected by identity theft, at a total cost to business and individuals of US$56.6 billion. The cost per victim of this identity theft averaged US$6,383. These figures are expected to rise in the future as fraudsters devise smarter, more focused scams.
A major portion of the above identity theft is online identity theft. In that context, businesses with valuable intellectual property or electronically accessible financial assets are largely left to protect themselves. In most situations, these businesses have succeeded in securing their own networks, but that leaves the more daunting task of protecting a greater point of weakness—their customers.
While network and application security and back-end fraud detection are crucial elements in preventing fraud, many of the online security attacks today are targeted at individuals. As a result, companies are starting to deploy to customers stronger kinds of authentication. For example, one large multinational bank recently announced that it was deploying a security device in the form of a “one-time dynamic password generator” for their customers to use in accessing personal Internet banking.
One-time password generators are used to provide time dynamic passwords that are short enough for a user to enter into an authentication system. The one-time password generators are used to replace digital certificates which had previously been used for on-line security. The password generators are typically in the form of a remote fob (which is a small portable device carried by the user) comprising an on-board micro-processor, a button and a liquid crystal display (LCD) display. Upon a user pressing the button of the password generator, the micro-processor generates a one-time password.
In order to log on to a controlled application, such as the bank's Internet banking website, using one of the above one-time password generators, the user enters their user ID and a fixed (or static) password into the banking website using a personal computer, for example. The user then presses the button on the one-time password generator and a six (or greater number) digit password is generated by the password generator and is displayed on the LCD. The user then enters the six digit password into the banking website via a personal computer, for example. The server that hosts the banking website (hereinafter “the authentication server”) performs the same calculation as the user's password generator and then compare a resulting six digit value to the password provided by the user. If the one-password provided the user matches the value calculated by the server, the user's identity is confirmed prior to the user being allowed to carry out their personal Internet banking using the banking website.
The above one-time password generators typically function by taking an input value, encrypting the input value according to an encryption algorithm (e.g., RSA, Public Key Infrastructure (PKI), Data Encryption Standard (DES), Blowfish, International Data Encryption Algorithm (IDEA)), and displaying the result as the one-time password. The encryption algorithm uses a secret key stored within each password generator as part of the process to generate the password. Changing the secret key causes a different password to be generated, even if the same input value is used. The secret keys are assigned to specific users and thus tie the user to a specific password generator. The authentication server also has a copy of the user's secret key. As such, the authentication server can perform the same calculation as the user's password generator by taking the same input and calculating the correct one-time password.
There are two commonly used types of one-time password generators, namely “time-dependent” and “event-synchronous”. Time dependent password generators require a clock to be configured within the password generator and within the authentication server. Time dependent password generators take the current time as the input value. For example, every 20 seconds a time dependent password generator may read the time from their clock and use the time as the input value to generate a one-time password. The input value is then encrypted using the user's secret key as part of the encryption process. The resulting encrypted number becomes the one-time password. Time-dependent password generators are referred to as synchronous since both the time-dependent password generator and the authentication server obtain their input values from the time of day which should be, in theory, always the same. However, in reality, some host system clocks drift, requiring a system administrator to manually set the clock periodically. In contrast, the clocks in password generators cannot be set and may drift throughout the lifetime of the password generator. To accommodate the varying times within the time-dependent password generators, the authentication server typically has a window allowing the passwords to be some period of time (e.g., two (2) minutes) off.
Event-synchronous password generators do not rely on an internal clock and are therefore not subject to the same drift as time-dependent password generators. Instead, event-synchronous password generators use a simple counter as the input value. The internal counter is set to zero when a password generator is first initialised by a user. From that point on, each time an event occurs (e.g., when the user requests a new password), the counter is incremented and the incremented value is used as the input value. This input value is then encrypted with the result becoming the one-time password. Similarly, a counter is also associated with the user's account on the authentication server. This authentication server clock is initialised to zero when the account is created, and is incremented each time the user is authenticated.
Other types of password generators also exist, such as “asynchronous challenge/response” password generators which select a random number as input value to the encryption process.
Prior to using a one-time password generator, the password generator must be initialised, as mentioned above. Password generator initialisation again requires correct entry of the user's ID and fixed password into the controlled application (e.g., the Internet banking website). The user is then required to enter in a ten digit serial number located on the back of the password generator together with designated digits from the user's bank passport number into the banking website. However, one problem with the one-time password generators is that if a fraudster is able to gain access to a user's personal Internet banking details, the fraudster will be able to activate the password generator and perform fraudulent Internet banking transactions using the password generator.
Thus a need clearly exists for a more efficient password generator for use in providing secure access to a controlled application.